4

All I want is to get the Video Redirection for my server to work...

The old onboard management only provides TLS1.0. This server has a properly installed certificate, and the corresponding CA is also installed on my computer.

I have changed C:\Program Files\Java\jre1.8.0_291\lib\security\java.security.

I tried everything, including just deleting TLS1.0 and TLS1.1 from the list. But that didn't help. Even when the list is completely empty, I get the same error.

Changes made:

#jdk.certpath.disabledAlgorithms=MD2, MD5, \
#    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
#    include jdk.disabled.namedCurves
jdk.certpath.disabledAlgorithms=

#jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
#      DSA keySize < 1024, include jdk.disabled.namedCurves
jdk.jar.disabledAlgorithms=

#jdk.tls.disabledAlgorithms=RC4, DES, MD5withRSA, \
#    DH keySize < 1024, EC keySize < 224, RSA keySize < 2048, 3DES_EDE_CBC, anon, NULL, \
#    include jdk.disabled.namedCurves
jdk.tls.disabledAlgorithms=

The Server uses: The connection to this site is encrypted and authenticated using TLS 1.0, RSA, and AES_128_CBC with HMAC-SHA1.

I have jre1.8.0_291 and jdk-15.0.1 installed. Both config files are identical in this regard (even though the path is different: C:\Program Files\Java\jdk-15.0.1\conf\security\java.security). I still get the above error.

When I issue java --version in cmd.exe I get this output:

java 15.0.1 2020-10-20
Java(TM) SE Runtime Environment (build 15.0.1+9-18)
Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing)

I also entered the URL of the Website, from where I download the .jnlp file, into the "Configure Java" Application whitelist.

Do you have any ideas? Thanks in advance.

9
  • Can you try with this in the java.security file: jdk.tls.disabledAlgorithms=SSLv3, TLSv1.1, TLSv1.2 Commented Jul 10, 2021 at 15:57
  • Try passing java -Djdk.tls.client.protocols=TLSv1.1,TLSv1.2 or just the version you need Commented Jul 10, 2021 at 15:57
  • I think TLS 1.0 was broken. As in there are real working exploits against the specification, so they removed it. Commented Jul 10, 2021 at 15:59
  • @SaleemKhair I cannot use java binary to open this file. I have to use javaws avr.jnlp to launch this applet. Your above option doesn't work with javaws.
    – jank04
    Commented Jul 10, 2021 at 16:05
  • @ElliottFrisch They did not remove TLS1.0; it is just disabled by default now. See: java.com/de/download/help/….
    – jank04
    Commented Jul 10, 2021 at 16:17

2 Answers

2

Fortunately I found the advanced tab in the "configure java" control panel. I can tick a checkbox there to use TLS1.0.

(Just as @JohannesB also commented).

I'll now change back to

jdk.certpath.disabledAlgorithms=MD2, MD5, \
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224, \
    include jdk.disabled.namedCurves

and so on; therefore I can only accept my cipher suite and disallow any other older suites, which makes it a bit less insecure.

1
  • I've been struggling with this issue for a couple days and your answer gave me the clue I needed. The real fix was to find the Java options under Control Panel and under tab Advanced enable the algorithms I needed. Thanks for this! +1
    – Alex
    Commented Oct 18, 2021 at 23:17
1

You can still modify jre\lib\security\java.security to not blacklist TLS 1.0 (at least on OpenJDK 1.8):

jdk.tls.disabledAlgorithms=None

I've built a portable JAVAWS launcher for JNLP files that come from IPMI / IMM / ILO / IRMC / IDRAC / KVM servers that should work on a fairly high number of old servers. Security settings in my portable launcher are already preset to support prehistoric devices.

You can find the project at https://github.com/netinvent/ipmi-starter
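
For checking a java.security file after edits like the ones discussed on this page, here is an added example (not part of the original question or answers) that parses the file, including `\` line continuations, and reports which of the three restriction lists have been emptied and which legacy protocols `jdk.tls.disabledAlgorithms` no longer blocks. The function names, the `LEGACY` list and the sample text are assumptions constructed for illustration.

```python
import sys

# The three properties edited in the question (names taken from the page).
WATCHED = ("jdk.certpath.disabledAlgorithms",
           "jdk.jar.disabledAlgorithms",
           "jdk.tls.disabledAlgorithms")
# Protocol names as they are written in jdk.tls.disabledAlgorithms.
LEGACY = ("SSLv3", "TLSv1", "TLSv1.1")

def parse_security_properties(text):
    """Parse key=value lines with '#'/'!' comments and '\\' continuations."""
    props, pending = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        # Comments and blank lines only count outside a continued line.
        if pending is None and (not line or line[0] in "#!"):
            continue
        logical = (pending or "") + line
        if logical.endswith("\\"):          # value continues on the next line
            pending = logical[:-1]
            continue
        pending = None
        key, _, value = logical.partition("=")
        props[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return props

def audit(text):
    """Report emptied or missing restriction lists and unblocked protocols."""
    props = parse_security_properties(text)
    tls = props.get("jdk.tls.disabledAlgorithms", [])
    return {
        "emptied": [k for k in WATCHED if k in props and not props[k]],
        "missing": [k for k in WATCHED if k not in props],
        "legacy_protocols_allowed": [p for p in LEGACY if p not in tls],
    }

# Constructed sample: one list emptied, one intact, TLS list without TLSv1/TLSv1.1.
SAMPLE = r"""
#jdk.certpath.disabledAlgorithms=MD2, MD5, \
#    RSA keySize < 1024
jdk.certpath.disabledAlgorithms=
jdk.jar.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \
      DSA keySize < 1024, include jdk.disabled.namedCurves
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES
"""

if __name__ == "__main__":
    # Pass the path to a java.security file, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for name, items in audit(text).items():
        print(f"{name}: {', '.join(items) or '-'}")
```

Run it against each installed runtime's file (both paths in the question), since every JRE/JDK carries its own copy.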
